Charities need to raise money. But they need to protect it too.
Have you run an event for charity recently? 5K run? 10K? Maybe even a marathon? Perhaps you donate on a monthly basis to a local or national charity that you believe is doing great work and needs your support. That’s great.
But you want to know that the money you’re handing over is going to the cause you’re supporting. You’d hate to think it was being mis-spent on paying salaries, expensive cars, hotels, lavish lifestyles, drugs or worse. No, I’m not talking about the charity you’re supporting. I’m talking about the cyber criminals who are benefiting from your generosity because the charities you support aren’t doing enough to protect themselves.
Please Give Generously
It has been revealed in a report by the Department for Digital, Culture, Media and Sport that 22 percent of charities were subject to a breach or attack in 2018, and just over half of respondents identified cyber security as a key priority. However, almost three quarters said they hadn’t invested in cyber security in the last twelve months, with 81 percent of these charities falling victim to phishing attacks.
Not Victim Blaming
For any organisation to be affected by a data breach and/or a cyber attack is a terrible thing. But it is particularly distasteful when it affects charitable organisations. But the sad fact of the matter is, charities are organisations just like any other. They are subject to the same weaknesses as any other organisation, and cyber criminals simply don’t care who they target. They will always go for the ‘low hanging fruit’, and charities are not helping themselves when it is revealed in the same report that just over half of respondents identified cyber security as a key priority, but almost three quarters said they hadn’t invested in cyber security!
What many people fail to appreciate is that cybercriminals are not just ‘teen hackers’ in their bedrooms carrying out attacks in a cunning game of skill. Quite often these are highly organised gangs using sophisticated tools to identify and attack organisations that are weak and ill prepared. Their ‘business model’ relies on targeting organisations that don’t have basic safeguards in place, but which do have access to lots of money. These hackers rely on organisations that haven’t invested in cyber security but do have high levels of transient staff (lack of training = less aware).
Cybercriminals may be a lot of things, but they’re not stupid. They know how to identify an easy target. They’re on the look-out for anyone who displays a weakness, and then they’ll exploit it. Sorry, but they don’t care if your charity is for the homeless, the sick and needy or for your favourite type of animal. All they care about is how they can separate the organisation from the money it holds.
What to do?
If you are a charity, you need to recognise (if you haven’t already) that you are a business. Yes, you are there to raise money for a worthy cause, but you are still a business. Therefore, you are a potential target of cybercriminals.
What you need to do is recognise that you need to take precautions and ensure all the money you raise is wisely spent on the important things, like making sure you are secure.
The UK Government has given some great advice and guidance on how you can protect yourselves, and you can find a link here: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security?curPage=/collection/10-steps-to-cyber-security/introduction-to-cyber-security/common-cyber-attacks-reducing-the-impact
The advice is very specific around technical controls, so you might want to pass this to the person responsible for IT. However, I’d like to raise two additional very important points here:
People. People. People.
People are your greatest asset, but they can also be your biggest weakness. People sometimes do silly things and can make mistakes. We’re all human, but training your staff will build them to be your best line of defence. Don’t rely solely on technology to protect your charitable organisation, because your technology can let you down when you need it most. If you train your staff, they won’t let you down.
If you didn’t realise already, you should know that I am a Consultant. My team and I are paid to offer advice and guidance on how to better protect yourselves in this modern age. If you need help then get help from a professional source, or research it and learn yourselves (it’s taken me 35 years to get to where I am today and I’m still learning). But get help.
Cybersecurity is not a ‘Fun Run’. It takes commitment and it takes investment. Spending money on Cybersecurity is an investment, not a cost.
When I’m giving to Charity I like to think it is going to a good cause. Not a bad excuse.